RatCTF
Challenge Board
Log in to reveal challenge IPs.
🧩 LDAP Lab · 2 Machines
A two-machine Active Directory lab. Enumerate the domain controller’s SMB shares and a vulnerable employee portal, then chain credential leaks across both machines to achieve full domain compromise.
🧩 LDAP Lab · 2 Machines
A two-machine Active Directory lab focused on MS14-025 (GPP credential harvest). Start with an exposed backup config on the workstation, then pivot to the domain controller via SYSVOL to decrypt the service account password and achieve root.
🧩 LDAP Lab · 1 Machine
A three-machine Active Directory lab focused on network pivoting. Only the domain controller is exposed to the internet. Players must chain SMB credential harvesting on the DC, SSH tunnelling, unrestricted file-upload RCE on the internal web server, and MySQL credential extraction on the internal database to fully compromise all three machines.
Every enterprise has a directory. Bindforge's directory holds the full map of who has access to what — accounts, groups, and a few fields that the original engineer populated a little too liberally. It was only ever meant to be accessed from inside the building.
The Rootbase server has been the backbone of three different applications over five years. Each team that inherited it assumed the previous one had secured it properly. None of them checked.
Keyspace was provisioned as a temporary caching layer during a product launch. The launch went well. The cleanup never happened. The server is still running, still reachable, and nobody on the current team knows its password — or whether it has one.
Driftsync runs nightly, faithfully mirroring data from one machine to the next. The engineer who wrote the job configured it to be 'easy to use'. He was proud of how accessible he'd made it. That was two years ago.
Bifrost was set up to bridge two legacy teams who couldn't agree on a file-sharing standard. So they ran both. Twice the surface, half the oversight. Somewhere in the middle of all that data lives a path forward.
Walkabout is the network monitoring node that nobody monitors. It has a view of every device on the segment — interface stats, process lists, everything the ops team ever thought to wire up. It reports faithfully to whoever asks.
Neuravex is CorpTech's shiny new internal AI assistant. The engineers shipped it fast, the executives loved it, and nobody asked too many questions about how it was built. It knows a lot. It's happy to talk. The question is how to make it tell you the right things.
The employee portal was built by a contractor in 2019, accepted without a security review, and has been quietly running ever since. It handles timesheets, leave requests, and a few internal tools nobody fully remembers adding. The codebase has never been audited.
The document viewer was built over a long weekend to replace a tool that no longer worked. It went live on Monday. It has never been reviewed. The developer who built it is very proud of how quickly it shipped.
The NFS server was set up to make file access easy across the team. It succeeded. It made access very easy. The engineer who configured it trusted the network perimeter to do the hard work — a decision that made sense at the time.
The sysadmin who ran Shellcast was meticulous about backups. Every week, a snapshot. Every directory, archived. He never thought carefully about what those backups contained — or where they were stored.
Darkpulse is a full Active Directory environment built by an ops team that grew too fast to keep up with its own complexity. Every layer trusts the one beneath it. The monitoring system has a view of everything — and so will you, once you understand what it's reporting.
🕐 Launching soon
In calculating...
Foxhole's authentication system was written by a developer who read the documentation, just not all of it. The gate looks solid from the outside. The question is whether you understand how the lock actually works.
🕐 Launching soon
In calculating...
Tracewire's FTP server was used once, during a late-night maintenance window, by an engineer who was troubleshooting a network issue and capturing everything. The capture was archived. The archive was left on the server. The session contained more than just packet headers.
Tempest is an internal reporting tool that the development team is quietly proud of. It renders fast, it looks clean, and it was built without once consulting the documentation on safe input handling.
DocuParse processes invoices for an accounts team that needed automation fast. The developer who built it enabled every feature the XML library offered, valued flexibility, and shipped the Friday before a long weekend.
Jailkey is the authentication layer for a suite of internal tools. The team built it themselves rather than pulling in a dependency. They were thorough. They were careful. They just left one door open that they assumed nobody would find.
HexVault is a classified document management system used by a fictional intelligence contractor. It stores sensitive material, controls access carefully, and presents a surface that looks more hardened than it is. No single weakness hands you the keys — but every component has something it trusts a little too much.
Codebleed runs the internal DevOps portal for a team that moves fast. The current deployment looks clean — polished, even. But software has a memory, and this server has been around long enough to have accumulated a history worth reading.
Capsule is a data platform that was provisioned for a project, shipped on time, and handed to ops without a security checklist. The database is reachable. The data inside it is more useful than the team intended. And somewhere on this machine, a capability was granted that nobody thought to revoke.
Debugtrap is a Flask application running in an environment that was never quite finished. The developer tested locally, pushed to production, and moved on to the next feature. Somewhere between development and deployment, a setting that should have changed did not.
StackDrop was built in a sprint by a developer who no longer works there. It does one thing: accept files from the build pipeline and make them available to the team. The handoff notes say it was hardened before go-live. The new team assumed that meant it was done.
r4tking built his own private operations platform — implant registry, remote probe, operator management. He thought it was locked down. Find the cracks, chain them together, and own the machine from web panel to root shell. Nothing here is accidental.
MirrorNet Corp ran a covert data intelligence platform. After their takedown, one server was left running. The admin swore it was hardened — 'everything real is behind another layer'. Dozens of researchers have tried. They all came back with flags. Every one of them was fake.
The SolarGate incident team flagged unusual activity on prod-web-01. A file-upload vulnerability gave an attacker a foothold as www-data, and the logs show things escalated from there. Your job: step into the analyst's seat, reconstruct what happened, and finish the job the attacker started.
Inkblot runs an internal CMS built by someone who trusted their logs a little too much. The file inclusion is right there. What you put in the request is what ends up in the log. What ends up in the log ends up on the page.
🕐 Launching soon
In calculating...
Blindspot is an internal URL validation tool. It checks whether endpoints are reachable — and it makes those requests from the server. There's an internal configuration service that wasn't supposed to be externally accessible.
🕐 Launching soon
In calculating...
TokenSmith is an internal OAuth 2.0 provider. It handles authorization flows and issues tokens to clients. There's a known issue in the tracker about redirect_uri validation — issue #214, filed months ago, still open.
🕐 Launching soon
In calculating...
Threadbare runs a privileged file integrity checker. It verifies that you own a file before reading it as root. The check and the read are two separate operations — and the filesystem doesn't stand still between them.
Breakout is an internal container management console that was meant to be ops-only. Someone left a debug endpoint live. The container has more access to the runtime than it should — and so do you.
Shapeshifter is an internal developer profile service built with Node.js. It lets users update their profile data through a flexible merge endpoint — one that trusts deeply nested JSON a little too much.
Synapse is an internal ML Model Hub that lets data science teams upload and share serialized model files. The platform loads every uploaded model automatically — trusting the data because trust is faster than validation.
NullSecurityX runs an internal bug bounty triage platform. The dev team pushed source code to production with the .git directory intact. Three vulnerabilities to chain — none of them obvious until you look closely.
SolarGate Energy's solar monitoring server has a misconfigured Python binary and a web service that's a little too helpful. Foothold first, SUID second.
The Meridian central data hub runs a root-owned cleanup task every minute. Someone on the ops team made the script world-writable. They trusted the filesystem more than they should have.
VoltCore's network diagnostics panel passes your input straight to ping. The sudo policy for the next hop is generous. Two steps to root.
GridLock's power management node runs awk as root for log analysis. The IT team didn't read the GTFOBins entry for awk. You did.
Apex is the hardest node in the SolarGate network. The document reader doesn't validate paths. Python has a capability it shouldn't. Chain them.
No challenges match the selected filters.
☠ Infection Chain
Find hidden fragment codes scattered across machines and unlock The Burrow — a secret area for those who dig deep.